
deps: bump go-sdk to v1.6.1 and drop CrossOriginProtection workaround #2564

Merged: SamMorrowDrums merged 1 commit into main from sammorrowdrums/go-sdk-1-6-1-upgrade, May 28, 2026

@SamMorrowDrums
Collaborator

Summary

Bumps github.com/modelcontextprotocol/go-sdk from v1.6.0 to v1.6.1 and removes the CrossOriginProtection accommodation we added in #2359 — the SDK now does the right thing by default, so the workaround is no longer needed (and uses a deprecated API).

Goal: allow end users to connect via web MCP clients without us holding onto a deprecated escape hatch.

What changed in the SDK

| SDK version | Behavior |
| --- | --- |
| ≤ v1.5.0 | Cross-origin check enabled by default; our AddInsecureBypassPattern("/") was required for browser clients |
| v1.6.0 | Check became opt-in: nil CrossOriginProtection = no check (matches our intent) |
| v1.6.1 | StreamableHTTPOptions.CrossOriginProtection deprecated (removed in v1.8.0); recommended pattern is to wrap the handler with middleware |

v1.6.1 also adds an MCPGODEBUG=disablecontenttypecheck=1 escape hatch. We don't need it — the SDK already uses mime.ParseMediaType, so application/json; charset=utf-8 works (the NormalizeContentType workaround was already removed in 91d6465).

Diff highlights

  • pkg/http/handler.go: drop http.NewCrossOriginProtection() + AddInsecureBypassPattern("/"); leave CrossOriginProtection unset so we don't depend on a deprecated field.
  • go.mod / go.sum / third-party-licenses.*.md: bump go-sdk to v1.6.1 and regenerate licenses.

Regression coverage

Existing tests in pkg/http/handler_test.go already guard the browser-client scenario and continue to pass:

  • TestCrossOriginProtection — POSTs with Sec-Fetch-Site: cross-site + Origin: https://example.com, same-origin, and no Sec-Fetch-Site (native client) — all assert 200 OK.
  • TestContentTypeHandling — verifies application/json; charset=utf-8 (and friends) are accepted.

Plus: script/lint clean, script/test green, script/licenses regenerated.

Follow-up

Companion PR in github/github-mcp-server-remote will bump its own go-sdk dep to v1.6.1 and pick up the new github-mcp-server release. No code changes needed there — the remote consumes pkg/http and ossmiddleware.SetCorsHeaders from this repo, so all accommodations live here.

Supersedes #2541 (Dependabot).

Bumps github.com/modelcontextprotocol/go-sdk from v1.6.0 to v1.6.1 and
removes the CrossOriginProtection bypass we previously installed on the
StreamableHTTP handler.

As of go-sdk v1.6.0 the cross-origin check is opt-in: a nil
CrossOriginProtection on StreamableHTTPOptions means no check is run.
v1.6.1 also marks the field itself as deprecated (the SDK recommends
wrapping the handler with middleware instead, and the field will be
removed in v1.8.0).

This server authenticates via bearer tokens, not cookies, so the
Sec-Fetch-Site CSRF check is unnecessary and would block browser-based
MCP clients. Leaving CrossOriginProtection unset preserves that
behavior without depending on a deprecated API.

Supersedes #2541.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@SamMorrowDrums SamMorrowDrums requested a review from a team as a code owner May 28, 2026 13:04
Copilot AI review requested due to automatic review settings May 28, 2026 13:04
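
The commit message's point about bearer tokens and the Sec-Fetch-Site check, together with the handler-wrapping middleware pattern named in the SDK table, as an added example that is not code from this repository or the SDK. `requireBearer`, `secFetchSiteCheck` and `status` are hypothetical names, the check is a simplified stand-in, and the requests are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// requireBearer is a hypothetical stand-in for the server's bearer-token auth.
func requireBearer(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.Header.Get("Authorization"), "Bearer ") {
			http.Error(w, "missing bearer token", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// secFetchSiteCheck: simplified cross-origin check as wrapping middleware (not the SDK's code).
func secFetchSiteCheck(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		site := r.Header.Get("Sec-Fetch-Site") // absent for native (non-browser) clients
		if r.Method == http.MethodPost && site != "" && site != "same-origin" && site != "none" {
			http.Error(w, "cross-origin request rejected", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// status sends a constructed POST to h and returns the response code.
func status(h http.Handler, site, token string) int {
	req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(`{}`))
	if site != "" {
		req.Header.Set("Sec-Fetch-Site", site)
	}
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	api := requireBearer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	fmt.Println(status(api, "cross-site", "t"), status(api, "cross-site", ""), status(secFetchSiteCheck(api), "cross-site", "t"))
}
```

The request without a token models what a browser sends on its own from another site, since it does not attach an Authorization bearer header automatically; the auth layer already refuses it, while the wrapped handler also refuses a browser client that does hold a token.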
Contributor

Copilot AI left a comment

Pull request overview

Bumps the modelcontextprotocol/go-sdk dependency to v1.6.1 and removes the now-deprecated CrossOriginProtection workaround. Since v1.6.0, leaving CrossOriginProtection nil disables the check by default, which matches the desired behavior for bearer-token-authenticated browser MCP clients.

Changes:

  • Drop http.NewCrossOriginProtection() + AddInsecureBypassPattern("/") in pkg/http/handler.go and replace with explanatory comment.
  • Bump go-sdk to v1.6.1 in go.mod / go.sum.
  • Regenerate third-party license files for the new version.
| File | Description |
| --- | --- |
| pkg/http/handler.go | Removes deprecated CrossOriginProtection option; relies on SDK v1.6.0+ nil-default behavior. |
| go.mod | Bumps go-sdk to v1.6.1. |
| go.sum | Updated module hashes for v1.6.1. |
| third-party-licenses.darwin.md | Regenerated license reference for v1.6.1. |
| third-party-licenses.linux.md | Regenerated license reference for v1.6.1. |
| third-party-licenses.windows.md | Regenerated license reference for v1.6.1. |

Copilot's findings

  • Files reviewed: 5/6 changed files
  • Comments generated: 0

@SamMorrowDrums SamMorrowDrums merged commit 6e0af32 into main May 28, 2026
20 checks passed
@SamMorrowDrums SamMorrowDrums deleted the sammorrowdrums/go-sdk-1-6-1-upgrade branch May 28, 2026 13:10